Can Data Protection Survive if Europe Breaks Up?

There is a widespread belief that “the world is flat,” national borders don’t matter anymore and data processing is inexorably becoming more globalized. However, in Europe the forces of Euroscepticism and nationalism are throwing these beliefs into question.

At least two countries are seriously flirting with national breakup or exit from the EU. In Scotland, a referendum will be held on September 18 on independence from the UK, and the regional government of Catalonia also recently announced that it will hold a referendum in November regarding independence from Spain. In addition, UK Prime Minister David Cameron has announced that if his party wins the next general election in 2015, he will call a vote by the end of 2017 on whether the UK should leave the EU. Opinion polls in all these cases indicate that breakup or exit cannot be ruled out.

What would the implications be for data protection if an EU member state were to break up, or if a member state decided to leave the EU?

The legal implications of EU breakup are controversial, and some of the key issues would ultimately be a matter of negotiation, so that they cannot be fully predicted. The EU constitutional treaties foresee the possibility of a member state leaving the EU, while there is no provision made for the breakup of a member state. However, the key question is the same in both situations: Would EU data protection law continue to apply, and if not, what would this mean in practice?

I agree with those leading experts on international law who believe, with some caveats, that a region or state that decides to leave the EU would likely have to apply for re-admission, so that EU data protection law would no longer automatically apply in the breakaway entity. At a minimum, this would introduce considerable legal uncertainty into the data protection practices of companies operating in the EU.

Whatever criticisms it may have of the proposed EU General Data Protection Regulation, business has generally supported the idea of a more harmonized legal framework throughout Europe, which goal would be fatally undermined if any of these initiatives succeed. Exit from the EU could mean that, for example, companies might have to sign standard contractual clauses, or provide some other legal basis, for transferring personal data from the EU to Barcelona, Glasgow or London.

The confidence of individuals in electronic commerce would also be dealt a blow. Harmonization of data protection law is needed to help individuals understand and assert their data protection rights more easily, and they would become confused about their rights if their region or country exits from the EU.

The long-term political effect on the spread of EU data protection law around the world could be serious. Fragmentation of the EU would make it more difficult to reach an accommodation between the EU and the U.S. on important issues of data protection.

In addition, numerous countries have adopted data protection legislation based on EU law, and others are considering whether to do so. A breakup could result in other countries going their own way rather than using EU data protection law as a model, thus leading to further global fragmentation.

It is striking that in the national debates on this issue, there has been little or no mention of the effects that national breakup or EU exit would have on creating a more harmonized digital single market. The fact that many European politicians seem not to realize the heavy compliance burden that exit from the EU would put on companies indicates that they still do not “get” the economic importance of data processing and data protection.

Companies have so far also not paid much attention to the data protection implications of EU fragmentation, indicating either that they are oblivious to it, or that they regard it as a case of political force majeure over which they have no control.

These initiatives, and the fact that the new European Parliament to be elected this May will be even more Eurosceptic than in the past, present serious challenges to the goal of having a more harmonized data protection framework in the EU. As an unabashed Europhile, I hope that voters will realize the implications of national breakup and EU exit before it is too late.

10 Comments

Articles of this sort can rather easily be misinterpreted as indicating a certain amount of data protection advocacy is actually protectionism.

Justin • Apr 29, 2014

In the case of the UK, given that they have already transposed an EU Directive (95/46) on Data Protection into domestic law, wouldn't it mean that this law would still be in effect even after secession from the EU? Alternately, if not, procedurally a law identical in substance could be passed to preserve the regime in a newly-independent UK. In both cases, it'd be difficult to see where or how the EU could fail to find such a law 'adequate' for purposes of international data transfer. What is left of the international transfer uncertainty? The gap between secession and an adequacy finding?

Javier • Apr 29, 2014

Dear Christopher,
Yes, thank God there has been little or no mention of the effects that national breakup or EU exit because speaking on an "EU breakup" for the (extremely different) issues which Scotland and the region of Catalonia are posing is - if you allow me - an exaggeration and a frivolity on your side.

Christopher Kuner • Apr 30, 2014

Thanks for the comments to my post. As I anticipated, even mentioning the possibility of a country splitting apart or leaving the EU calls forth an emotional response from many in Europe. However, no one has been asking what the data protection implications of these developments would be, and I am happy to get the ball rolling. To respond to the points made: first, I do not believe that data protection advocacy is protectionism. Second: yes, the UK has implemented the EU Directive, but that implementation has been criticized by the European Commission and others, and given the political bad blood that would likely accompany a UK exit from the EU, I wonder whether the EU would move quickly to find the UK "adequate" (and even in the best cases, an adequacy finding typically takes years to prepare and enact). And third: while the specific issues regarding Scottish and Catalonian independence may indeed be different, the legal result would be the same, i.e., a region of a country leaving an EU member state (remember that the UK referendum isn't supposed to happen until 2017), with the implications I describe in my post.

Kim • Apr 30, 2014

As the agreements with the EEA show, whereby nearly everything adopted in the EU becomes directly applicable in countries like Norway, Europe is quite capable of extending its legal coverage beyond its own borders and I suppose arrangements would be made to accelerate the process or create this equivalency.
I think in the event of a break-up politically the situation would be such that all hands on deck would be called for, leading to a much faster response time than a standard adequacy procedure. One thing Europe abhors above all else is instability and uncertainty.
I also agree that Catalonia and Scotland aren't the best of examples as one of the underlying reasons why independence is being considered as viable is precisely because both are betting on being welcomed into the European Union fold quickly as they would upon creation likely meet all the minimum requirements for membership and have the acquis sorted too. There are many academics who would suggest that this is precisely what the EU as a construct eventually leads to. In any case, my understanding is that both regions are maintaining private contact with the Member States to this effect.

Pete • Apr 30, 2014

Yes - I too am surprised that the Scottish people have been spending so much time focusing on mundane issues such as whether they will continue to use sterling, the division of the national debt, the division of territorial waters, the removal of nuclear weapons etc., when they should be considering more fundamental issues such as .... data protection? With the greatest respect, this is the sort of thing that gives data protection lawyers a bad name by demonstrating a lack of wider commercial and political understanding.

Mike Anderson • Apr 30, 2014

Christopher, I am afraid your article contains little beyond entertainment value.
Since Snowden and a number of high profile security issues, consumer confidence in E-Commerce and data protection has been shaken immensely by factors not even mentioned in passing in your article and with little or no relevance to the issues you discuss.
As a practising Privacy Officer in Germany I see a deep and widespread mistrust already in governments, institutions and organizations from the standpoint of the data subjects. Frankly very few people still have ANY trust in corporations and governments to protect their privacy. Furthermore, the bone-headed stupidity of government reactions, including those of the US regime and the UK government in responding to concerns gives no reason to hope that political institutions have the will to regain confidence.
And from a NON-UK perspective I get the sense that people in the other EU states couldn't give a hoot whether the UK leaves .. in fact many perceive the UK as little more than a hindrance to the social and economic development of Europe. They may actually prefer to see the Brits finally leave and to cease acting as a US proxy in EU affairs. To focus on purely business and institutional perspectives as you have done is really missing the bus!

Peter Brown • Apr 30, 2014

The chances of the EU breaking up are probably on a par with the chances of the USA breaking up. In other words: much bluster and brimstone from limited quarters but no real appetite nor momentum from either quarter.
If there were ever a real risk of the "EU breaking up" (it does beg the question: "break into what?"), I think there would be far more serious and priority concerns - whatever we as privacy professionals would care to admit. I agree with "Pete".

Axel Moreira • May 9, 2014

Leaving feelings aside, I think the point Christopher wants to make is pretty valid. A new state will have to go through the entire adequacy process for its law to be considered adequate for the protection of personal data in third countries (because that is what they will become). Argentina may serve as an example. The approval process took 2 years to get such status. We should look at those potential "countries" as Russia: yes, it has Data Privacy Laws, but in the end, you have to put other mechanisms in place to protect the data and comply with the legislation of the countries your company operates in.

Nurul • May 9, 2014
